CVE-2025-24564

CVE-2025-24564 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Contact Form With Shortcode WordPress plugin developed by aviplugins.com, impacting all versions from unknown initial release through 4.2.5.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, but user interaction needed, with changed scope and low impacts to confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with maliciously crafted links or inputs reflected in the contact form, allowing script injection into the victim's browser session.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/contact-form-with-shortcode/vulnerability/wordpress-contact-form-with-shortcode-plugin-4-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this Reflected XSS issue in the plugin up to version 4.2.5, providing details for security practitioners on the affected component.